Solved: Prioritize VoIP on ASA

NInja Black · ‎06-18-2014

Hi,

We have an ASA 5515 connected to the ISP router. Being a call center I wanted to prioritize VoIP traffic. First of all is there a need to do this. We have comcast pipe of 50Mbps which is more than enough. I had the firewall set up 2 weeks ago and am facing no issues so far. We use Five9 softphones. I alread have inspect sip in the global policy. Yet little concerned and wanted to know what needs to be done in order to achieve QoS..

Any insight is grealy appreciated.

Marius Gunnerud · ‎06-22-2014

Not a stupid question at all.

The ASA can only provide low latency queuing (LLQ) and not the more advanced QoS features that routers have...such as WFQ, CBWFQ. So doing bandwidth reservation is not possible.

You can however adjust the queue size and the transmit (tx) rate. And you could prioritize VOIP traffic but the then police all other traffic to a value lower than the total bandwidth...That way if there is a bandwidth hog in the default class you would still have 20% or so bandwidth allocated for the VOIP class. So, lets say you have a 3Mb line and you want to limit default traffic to 2Mb and leave the remaining for VOIP. That setup would look something like the following:

class-map voip-inside-class
description VoIP traffic
match dscp ef

      policy-map voip-inside-policy
        description voip on inside interface
        class voip-inside-class
          priority
        class class-default
          shape average 2000000 8192

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎06-18-2014

I would suggest configuring QoS...especially if the users will also be allowed to access the internet. You never know how much video streaming users will be doing especially now during the football world cup...and similar events.

Just keep in mind that QoS is not supported on ASAs running in multiple context mode, only supported in single mode

The following links gives a good example of how to configure QoS on the ASA. The first link says it is for ASA 7.x but the syntax is the same for the other versions as well.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/conns_qos.html

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

NInja Black · ‎06-21-2014

Thanks for the reply Marius.

I have the following QOS planned and have few questions below

class-map voip-inside-class
description VoIP traffic
match dscp 34 24 46

      policy-map voip-inside-policy
        description voip on inside interface
        class voip-inside-class
          priority
          user-statistics accounting

service-policy voip-inside-policy interface inside

- Does dscp 34 24 46 cover all voip traffic?

- Which interface should it be applied to? I got inside.

- Shouldn't the priority statement have a % range? I read that in policing/traffic shaping ranges can be set. How to set range in priority queuing?

Marius Gunnerud · ‎06-21-2014

Normally when dealing with VOIP I only match on DSCP 46 (EF) when doing priority. If you match on 34 and 23 you will also be prioritizing traffic that technically should not be prioritized.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

NInja Black · ‎06-21-2014

Understood. Will remove the dscp 24 and 34.

But shouldn't there be a priority percentage to specify bandwidth to be utilized by the traffic?

By my config voip is given priority but in case a huge file transfer is utilizing all of the bandwidth can't I reserve atleast 20% of the total bandwidth such that voip calls don't get effected.

I apologize if my question is stupid. Want to make sure it works the way I understand it.

Appreciate your response.

Marius Gunnerud · ‎06-22-2014

Not a stupid question at all.

The ASA can only provide low latency queuing (LLQ) and not the more advanced QoS features that routers have...such as WFQ, CBWFQ. So doing bandwidth reservation is not possible.

You can however adjust the queue size and the transmit (tx) rate. And you could prioritize VOIP traffic but the then police all other traffic to a value lower than the total bandwidth...That way if there is a bandwidth hog in the default class you would still have 20% or so bandwidth allocated for the VOIP class. So, lets say you have a 3Mb line and you want to limit default traffic to 2Mb and leave the remaining for VOIP. That setup would look something like the following:

class-map voip-inside-class
description VoIP traffic
match dscp ef

      policy-map voip-inside-policy
        description voip on inside interface
        class voip-inside-class
          priority
        class class-default
          shape average 2000000 8192

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

NInja Black · ‎06-22-2014

Marius, You are awesome!!! Thanks!

Mohammed Yusuf · ‎12-13-2016

Hi Marius,

I am trying to follow your example on ASA 5505 9.3.1 Version. I could do run the commands up to here

class-map voip-inside-class
description VoIP traffic
match dscp ef

policy-map voip-inside-policy
description voip on inside interface
class voip-inside-class
priority

Class class-default

but unable to find

shape average 2000000 8192

would you please advise what will it achive? as I have been searching QOS on ASA for VoIP traffic or may be limit it to 6mb.

Marius Gunnerud · ‎12-25-2016

In newer versions of ASA shaping is not supported, and therefore you will only be able to police traffic.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Mohammed Yusuf · ‎12-25-2016

Thanks Marius.

what is the best way for voip? Is policing better or prioritising better on Asa?

Marius Gunnerud · ‎12-27-2016

The best for VOIP is to prioritize. Policing should never really be used for time sensitive traffic.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

RolandNyalundja9197 · ‎08-28-2019

ERROR: Shape not allowed with legacy priority in the same policy-map
---------
This is the message appears when i run this configuration.
Any ideas to fix it ?

nkarthikeyan · ‎06-21-2014

Hi,

Please perform the below mentioned changes in your FW.

class-map voip-inside-class
description VoIP traffic
match dscp ef

!

expedited forwarding is the term which is used voip ptraffic. So this will do as you need.

Traffic Type	Layer 2 CoS	Layer 3 IP Precedence	Layer 3 DSCP
Voice RTP¹	5	5	EF
Voice control	3	3	AF31
Video conference	4	4	AF41
Streaming video (IP/TV)	1	1	AF13
Data	0-2	0-2	0-AF23

NInja Black · ‎06-22-2014

Thanks for the table Karthik. Very helpful!